HITRUST vs SOC 2: Leveraging the Best Path to Assurance

What does HITRUST certified mean?

HITRUST is an acronym for the Health Information Trust Alliance, the organization that maintains the HITRUST CSF (originally the Common Security Framework) and issues HITRUST CSF certifications to organizations that pass an assessment against it. The CSF was built in collaboration with healthcare, technology and information security leaders as a comprehensive, prescriptive and certifiable framework that can be used by any organization that creates, accesses, stores or exchanges sensitive and/or regulated data.

What does HITRUST certification cover?

The CSF includes a prescriptive set of controls that harmonizes the requirements of multiple regulations and standards (including ISO 27001, NIST, PCI DSS and HIPAA, among others), so that one assessment can demonstrate coverage of several of them at once.

A validated assessment requires a HITRUST-authorized external assessor to test the organization's compliance with the applicable CSF requirements; HITRUST then reviews the assessor's work before issuing the certification. A validated assessment must be performed for an organization to become HITRUST certified; a self-assessment alone does not result in certification.

How does HITRUST certification compare to a SOC 2 Type II report?

Some of the biggest names in health care require their service organizations, many of them defined as business associates under HIPAA, to adopt the HITRUST CSF. Becoming HITRUST certified can therefore be a real differentiator when selling into that market.

The reason a SOC 2 report is often not enough on its own lies in the fundamental difference between the two: SOC 2 is a reporting (attestation) framework, while the HITRUST CSF is a control framework. Strictly speaking there is no such thing as a "SOC 2 certification"; the deliverable is an auditor's attestation report on the controls the organization itself chose to describe.

SOC 2 reports, defined by the American Institute of Certified Public Accountants (AICPA), are intended to meet the needs of a broad range of users who need information and assurance about the controls at a service organization that help maintain security, availability, processing integrity, confidentiality and privacy, the five Trust Services Criteria (TSC) categories. The organization selects which categories to report on (Security is always required; the other four are optional), describes its own controls, and engages an independent service auditor to opine on whether those controls are suitably designed (Type I) and, for a Type II report, whether they operated effectively over the review period.

In contrast, the HITRUST CSF is a prescriptive control framework that originated in the healthcare industry: the controls and their required maturity are defined by HITRUST, not by the organization being assessed. And although the service organization or business associate may define the scope of the environment to be tested, every applicable CSF control must be in place and applied across that entire in-scope environment.

Does HITRUST meet third-party reporting needs (such as SOC 2)?

HITRUST has developed a standard report that provides a consistent representation of risk exposure, compliance posture and corrective actions, which allows results to be benchmarked against the security practices of similar organizations in the industry. However, customers and prospects frequently ask for other reporting attributes that the HITRUST report alone does not provide, such as responses to security questionnaires and requests for proposals, a narrative description of the processes and controls implemented to satisfy the CSF, and assurance that those controls operated as designed over a fixed and continuous period (e.g., a rolling six- or twelve-month reporting cycle), which is exactly what a SOC 2 Type II report delivers. The HITRUST and SOC 2 reporting models are therefore complementary rather than competing: the same body of CSF controls, once implemented and assessed, can be used as the control set described and tested in a SOC 2 report. AICPA and HITRUST have jointly defined a SOC 2 + HITRUST CSF reporting option for organizations that want to cover both needs with a single engagement.
